add helper decorator to ensure signleton roles see the proper role list

2026-01-17 12:41:19 -03:30 · 2016-07-01 10:38:02 -04:00 · 2016-07-01 10:38:02 -04:00 · 16bc0cdf0b
commit 16bc0cdf0b
parent 47893613a2
2 changed files with 20 additions and 6 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -1193,12 +1193,6 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
            raise PermissionDenied()
        content_type = ContentType.objects.get_for_model(User)

-        sys_admin = Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR)
-        sys_audit = Role.singleton(ROLE_SINGLETON_SYSTEM_AUDITOR)
-
-        if self.request.user in sys_admin or self.request.user in sys_audit:
-            return u.roles.all().exclude(content_type=content_type, object_id=u.id)
-
        return Role.filter_visible_roles(self.request.user, u.roles.all()) \
                   .exclude(content_type=content_type, object_id=u.id)

--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@ -61,6 +61,24 @@ role_descriptions = {

 tls = threading.local() # thread local storage

+
+def check_singleton(func):
+    '''
+    check_singleton is a decorator that checks if a user given
+    to a `visible_roles` method is in either of our singleton roles (Admin, Auditor)
+    and if so, returns their full list of roles without filtering.
+    '''
+    def wrapper(*args, **kwargs):
+        sys_admin = Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR)
+        sys_audit = Role.singleton(ROLE_SINGLETON_SYSTEM_AUDITOR)
+        user = args[0]
+        if user in sys_admin or user in sys_audit:
+            if len(args) == 2:
+                return args[1]
+            return user.roles.all()
+        return func(*args, **kwargs)
+    return wrapper
+
@contextlib.contextmanager
 def batch_role_ancestor_rebuilding(allow_nesting=False):
    '''
@ -352,6 +370,7 @@ class Role(models.Model):


    @staticmethod
+    @check_singleton
    def visible_roles(user):
        sql_params = {
            'ancestors_table': Role.ancestors.through._meta.db_table,
@ -372,6 +391,7 @@ class Role(models.Model):
        return qs

    @staticmethod
+    @check_singleton
    def filter_visible_roles(user, roles_qs):
        sql_params = {
            'ancestors_table': Role.ancestors.through._meta.db_table,